From bd83c19cc79f8142923f1e9675ecdad8d38b1cf2 Mon Sep 17 00:00:00 2001 From: Matt Rodgers Date: Wed, 27 Nov 2024 12:52:39 +0000 Subject: [PATCH] samples: http_server: update cipher suites and certificates Existing cipher suites and certificates used by HTTP server sample are included in RFC9113 Appendix A: Prohibited TLS 1.2 Cipher Suites. The RFC specifies that when using HTTP/2, these cipher suites may be treated as an error of type INADEQUATE_SECURITY, and in practice it seems that Chrome and Firefox do implement this. The certificates have been updated to use ECDSA-P265 signatures, and supported cipher suites updated to include ECDH key exchange and AES GCM and CCM modes. Some scripts are included to allow users to generate their own certificates if desired. Signed-off-by: Matt Rodgers
---
 .../net/sockets/http_server/CMakeLists.txt | 14 +++++ samples/net/sockets/http_server/prj.conf | 8 +++ .../sockets/http_server/src/certs/.gitignore | 3 ++ .../sockets/http_server/src/certs/ca_cert.pem | 13 +++++ .../http_server/src/certs/gen_ca_cert.sh | 17 +++++++ .../http_server/src/certs/gen_server_cert.sh | 48 ++++++++++++++++++ .../http_server/src/certs/server_cert.der | Bin 693 -> 543 bytes .../http_server/src/certs/server_privkey.der | Bin 1219 -> 121 bytes 8 files changed, 103 insertions(+) create mode 100644 samples/net/sockets/http_server/src/certs/.gitignore create mode 100644 samples/net/sockets/http_server/src/certs/ca_cert.pem create mode 100644 samples/net/sockets/http_server/src/certs/gen_ca_cert.sh create mode 100644 samples/net/sockets/http_server/src/certs/gen_server_cert.sh
diff --git a/samples/net/sockets/http_server/CMakeLists.txt b/samples/net/sockets/http_server/CMakeLists.txt
index 1f793c1fcef..b860f8a07ce 100644
--- a/samples/net/sockets/http_server/CMakeLists.txt
+++ b/samples/net/sockets/http_server/CMakeLists.txt
@@ -20,6 +20,20 @@ if(CONFIG_NET_SOCKETS_SOCKOPT_TLS AND
 add_dependencies(app development_psk)
 endif()
 
+set(CERTS_DIR ${CMAKE_CURRENT_SOURCE_DIR}/src/certs)
+
+add_custom_target(sample_ca_cert
+ WORKING_DIRECTORY ${CERTS_DIR}
+ COMMAND sh gen_ca_cert.sh
+ COMMENT "Generating sample CA certificate"
+)
+
+add_custom_target(sample_server_cert
+ WORKING_DIRECTORY ${CERTS_DIR}
+ COMMAND sh gen_server_cert.sh
+ COMMENT "Generating sample server certificate"
+)
+
 option(INCLUDE_HTML_CONTENT "Include the HTML content" ON)
 
 target_sources(app PRIVATE src/main.c)
diff --git a/samples/net/sockets/http_server/prj.conf b/samples/net/sockets/http_server/prj.conf
index aa04b93f223..73024d1aca1 100644
--- a/samples/net/sockets/http_server/prj.conf
+++ b/samples/net/sockets/http_server/prj.conf
@@ -69,6 +69,14 @@ CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
 CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
 CONFIG_TLS_CREDENTIALS=y
 CONFIG_TLS_MAX_CREDENTIALS_NUMBER=5
+CONFIG_MBEDTLS_ECDH_C=y
+CONFIG_MBEDTLS_ECDSA_C=y
+CONFIG_MBEDTLS_ECP_C=y
+CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
+CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
+CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
+CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
 
 # Networking tweaks
 # Required to handle large number of consecutive connections,
diff --git a/samples/net/sockets/http_server/src/certs/.gitignore b/samples/net/sockets/http_server/src/certs/.gitignore
new file mode 100644
index 00000000000..96aff7026ab
--- /dev/null
+++ b/samples/net/sockets/http_server/src/certs/.gitignore
@@ -0,0 +1,3 @@
+*.pem
+!ca_cert.pem
+*.ext
diff --git a/samples/net/sockets/http_server/src/certs/ca_cert.pem b/samples/net/sockets/http_server/src/certs/ca_cert.pem
new file mode 100644
index 00000000000..38ea9d14c99
--- /dev/null
+++ b/samples/net/sockets/http_server/src/certs/ca_cert.pem
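Review bot: Both `add_custom_target` calls run `COMMAND sh gen_ca_cert.sh` / `COMMAND sh gen_server_cert.sh` without `VERBATIM`, so argument escaping is generator-dependent; add `VERBATIM` after each `COMMENT` line. Nothing in the file records that `sample_server_cert` only works after `sample_ca_cert` has been run: gen_server_cert.sh signs with `ca_privkey.pem`, which the new .gitignore keeps out of the repository, so a fresh checkout that builds only `sample_server_cert` fails at the signing step. An `add_dependencies` edge would be the wrong fix, because re-running gen_ca_cert.sh replaces the CA key and certificate and every server certificate issued under the old CA (including the committed server_cert.der) stops chaining to the new ca_cert.pem; document the ordering instead, e.g. above `add_custom_target(sample_server_cert`: `# Needs ca_privkey.pem from the sample_ca_cert target (git-ignored); re-running sample_ca_cert replaces the CA and invalidates existing server certificates.`. Writing into the source tree under src/certs is intended here, since the generated DER files are the sample's committed credentials.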
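Review bot: The eight new `CONFIG_MBEDTLS_*` lines carry no comment tying them to the reason given in the commit message, so a later edit can re-enable a suite from RFC 9113 Appendix A without noticing; add above `CONFIG_MBEDTLS_ECDH_C=y`: `# ECDHE-ECDSA with AES-GCM/CCM only: RSA key exchange and CBC suites are in RFC 9113 Appendix A and HTTP/2 clients may reject them with INADEQUATE_SECURITY`. The hunk disables only `CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED`; whether CBC-mode ECDHE-ECDSA suites, which that appendix also lists, remain negotiable depends on mbedTLS defaults that are not visible in this fragment, so the negotiated suite is worth confirming against the appendix rather than relying on these lines alone.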
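Review bot: The ignore list misses `ca.srl`, which gen_server_cert.sh creates in this directory via `-CAcreateserial -CAserial ca.srl`, so running the sample_server_cert target leaves an untracked file next to the tracked certificates; add `ca.srl` as a fourth line. `server_csr.pem`, `server_privkey.pem` and `server_csr.ext` are already covered by the `*.pem` and `*.ext` patterns, while the DER outputs stay tracked as the sample's committed credentials.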
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5DCCAYmgAwIBAgIUXHpFEmhwtzDyteoz+ZSOhyQ6xzUwCgYIKoZIzj0EAwIw
+RjEWMBQGA1UECgwNWmVwaHlycHJvamVjdDEsMCoGA1UEAwwjWmVwaHlycHJvamVj
+dCBTYW1wbGUgRGV2ZWxvcG1lbnQgQ0EwIBcNMjQxMTI3MTE1ODUwWhgPMjEyNDEx
+MDMxMTU4NTBaMEYxFjAUBgNVBAoMDVplcGh5cnByb2plY3QxLDAqBgNVBAMMI1pl
+cGh5cnByb2plY3QgU2FtcGxlIERldmVsb3BtZW50IENBMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEvCX35MoLVdt4STWeomwFjuLV8nAz+K1IIc5PrfD9nVhLZfOS
+Z35O9dTEMvn1dP2MqUqjL6wWA3oSnvItU81qD6NTMFEwHQYDVR0OBBYEFNFC9qd/
+SSYq7aDvLGsc4Fu7Fn5cMB8GA1UdIwQYMBaAFNFC9qd/SSYq7aDvLGsc4Fu7Fn5c
+MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhALWzu1PtNJYu9sWb
+A2iBixJuoK7y8EqCkGDp0e66mA+qAiEAyz7YdO7zhcHWgaUXqLwlVqe5cstVMsLv
+4TbLwQi+wfI=
+-----END CERTIFICATE-----
diff --git a/samples/net/sockets/http_server/src/certs/gen_ca_cert.sh b/samples/net/sockets/http_server/src/certs/gen_ca_cert.sh
new file mode 100644
index 00000000000..e2e38e38039
--- /dev/null
+++ b/samples/net/sockets/http_server/src/certs/gen_ca_cert.sh
@@ -0,0 +1,17 @@
+# Copyright (c) 2024, Witekio
+# SPDX-License-Identifier: Apache-2.0
+
+# Generate a root CA private key
+openssl ecparam \
+ -name prime256v1 \
+ -genkey \
+ -out ca_privkey.pem
+
+# Generate a root CA certificate using private key
+openssl req \
+ -new \
+ -x509 \
+ -days 36500 \
+ -key ca_privkey.pem \
+ -out ca_cert.pem \
+ -subj "/O=Zephyrproject/CN=Zephyrproject Sample Development CA"
diff --git a/samples/net/sockets/http_server/src/certs/gen_server_cert.sh b/samples/net/sockets/http_server/src/certs/gen_server_cert.sh
new file mode 100644
index 00000000000..a088e708db2
--- /dev/null
+++ b/samples/net/sockets/http_server/src/certs/gen_server_cert.sh
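Review bot: gen_ca_cert.sh runs without `set -e` and unconditionally overwrites `ca_privkey.pem` and `ca_cert.pem`, so a second invocation of the sample_ca_cert target silently replaces the CA and every server certificate signed by the previous one (including the committed server_cert.der) no longer chains to the new ca_cert.pem; open the script with `set -eu` followed by `if [ -e ca_privkey.pem ]; then echo "ca_privkey.pem exists; remove it to regenerate the CA" >&2; exit 1; fi`. The key file is created with the caller's default umask, so on a shared machine the CA private key can end up world-readable; a `umask 077` line before `openssl ecparam` keeps it owner-only. The curve is prime256v1 (P-256), which is presumably what the commit message's "ECDSA-P265" refers to, and `-days 36500` makes the CA valid for roughly a century, which is worth stating in the comment above `openssl req` so the lifetime is a visible choice rather than a surprise.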
@@ -0,0 +1,48 @@
+# Copyright (c) 2024, Witekio
+# SPDX-License-Identifier: Apache-2.0
+
+# Generate a server private key
+openssl ecparam \
+ -name prime256v1 \
+ -genkey \
+ -out server_privkey.pem
+
+# Generate a certificate signing request using server key
+openssl req \
+ -new \
+ -sha256 \
+ -key server_privkey.pem \
+ -out server_csr.pem \
+ -subj "/O=Zephyrproject/CN=zephyr"
+
+# Create a file containing server CSR extensions
+echo "subjectKeyIdentifier=hash" > server_csr.ext
+echo "authorityKeyIdentifier=keyid,issuer" >> server_csr.ext
+echo "basicConstraints=critical,CA:FALSE" >> server_csr.ext
+echo "keyUsage=critical,digitalSignature" >> server_csr.ext
+echo "extendedKeyUsage=serverAuth" >> server_csr.ext
+echo "subjectAltName=DNS:zephyr.local,IP.1:192.0.2.1,IP.2:2001:db8::1" >> server_csr.ext
+
+# Create a server certificate by signing the server CSR using the CA cert/key
+openssl x509 \
+ -req \
+ -sha256 \
+ -CA ca_cert.pem \
+ -CAkey ca_privkey.pem \
+ -days 36500 \
+ -CAcreateserial \
+ -CAserial ca.srl \
+ -in server_csr.pem \
+ -out server_cert.pem \
+ -extfile server_csr.ext
+
+# Create DER encoded versions of server certificate and private key
+openssl ec \
+ -outform der \
+ -in server_privkey.pem \
+ -out server_privkey.der
+
+openssl x509 \
+ -outform der \
+ -in server_cert.pem \
+ -out server_cert.der
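Review bot: Without `set -e`, a failure in the `openssl x509 -req` signing step (for example because `ca_privkey.pem` is absent — it is git-ignored and only exists after gen_ca_cert.sh has run) does not stop the script: the following `openssl ec` call still rewrites `server_privkey.der` from the freshly generated key while the final `openssl x509 -outform der` fails on the missing `server_cert.pem`, leaving a new private key paired with the old committed server_cert.der. Open the script with `set -eu` and check the CA material before generating anything: `for f in ca_privkey.pem ca_cert.pem; do [ -r "$f" ] || { echo "$f missing: run gen_ca_cert.sh first" >&2; exit 1; }; done`. As in gen_ca_cert.sh, the private key is written with the default umask, so a `umask 077` before `openssl ecparam` is appropriate here too. A short header comment listing the prerequisites (`ca_cert.pem`, `ca_privkey.pem`) and the outputs the sample consumes (`server_cert.der`, `server_privkey.der`) would let a reader tell the committed artifacts from the intermediate `server_csr.*` and `ca.srl` files.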
diff --git a/samples/net/sockets/http_server/src/certs/server_cert.der b/samples/net/sockets/http_server/src/certs/server_cert.der index 2b664a4bdb2ce64d9e2f92d88aa163d09fd0a073..35b47f4487d90a6eb1142fc8756f54fa126a32be 100644 GIT binary patch literal 543 zcmXqLVv;s!Vm!EjnTe5!Nkn zZiZq8B5cf|EL=RiQKP-oJ*}A5AX2s=guKn!URvgEV%Wv27EnVEW+@NuZfh^EISw0pq7Lm`Lt9hn9 znB1HpnXMdmEOo-4@(5M~d62X+i-dt#gUCgvZ_DdF)wJF&c(0Q!^B{V+SY3<(4@iM9 zBjbM-CIbcoJ`j%|!~=#Xdjrt%K)xyq4=A9u*%(<_*_jy)^g)7xEE)!CO*{~9>gD7o zC+4)X9AIE#Y!^^qd#AN85K^Mn-N{1_Kd8 zAp-$6=1>-99?sN?#N2|MRA)y61#w;@0|P@ta|25QLnDJI34S9(LrX&=BNM0qioTru zik^@kDXYAcf~pQKuP)zo+30&- zdsL`W?2aE_c8Ub||GIFX(J^B};2(|hvNbb#i*={IPiDy3J$tJ&ci@?4VMWV=4&VCe zed*i}zE-9BtHZF9qVy(`sT+oy{ksJnS;amZ=bj_*v&j0}v(Aq0#9UNL&?l7Jj%zSgmElFXmI`$*a$X#J<0sy{~v`PEt_XN{9Kv4~>gL4f1N!%QHKI zrQ!?c2J27zSdg}K;<*B6sk_I_f9h;pVn08MKhh_xqvX6o-GpVLVd2xY%A(A-@$z5W zA6>qdW5xTj>8pMAgl1+(2pQNNu1#6e`Z4|)(;s_#+qPfTUHR2lm>=v4@vgY1wJ2i3 MBGv5t+z!hv0H2m3zyJUM 
diff --git a/samples/net/sockets/http_server/src/certs/server_privkey.der b/samples/net/sockets/http_server/src/certs/server_privkey.der index 2269293fe790f2276d24bb62e5347e2d6e5b9cdf..5e6ab5bd1f40b157aacbb67134e5b7570d4b5e1d 100644 GIT binary patch literal 121 zcmV-<0EYiCcLD(c1R&wN7$9xG6@HL>anzhNeC4h~d3qrY{8)4|9o(QzAf})S1_&yK zNX|V20SBQ(13~}&LNQUrsW5^Br2+u}0)hbn0Nqb)D1e?a zp8&aImt7ZC<#fYJP1_)U~2r>KV;Sh&|uxsbgd+Wqim>*RQP17 zN+MEv!KZt7vePp6ZiiY`B3-!n^tlvMkNVKSfk9}HQT!-(cC48Vb1jwcV*qTso3%p= zQOxF6a;8$l+WAY$!e4q1-E5KRYMu^m^R8*?f@AY^R3J|xb1OnZyf)d%@7jF-n#bq{w z_V0-_an4m}EhQL0a0eyJLfgYUma~AbF4TKUx0e^de%Z>SRLcd3_W}a}009Dm0RaG! zDnpyyq31e$(;f_OH=9&LUdAGWmcg)_U4%E0mb$XCnj(|v8LAHpDTtP?vr%m06^$EJ zZpnTE;H3hyxV~h-V=#o!93n{(=c4FC>CFRKQ-|zrZ1|YaIP9Ik-N}{ zy2<3cWREtdn{P+&|LN!)p7{mIkU|!Zt`2R(;Pg#_N=yr%0Vbp2xs8}fq?+{ zc_*4}atI@kiq43z4w}weDdyNNVAbB4NkS;27(x^wl z9J%b|Zc?z3;9TOiJK1`TB(hH8#oFnIv_f(!BjM<1Tj6}HlvN;ezG8sA3fPIW5j-m0 zrtNkO#a&BWxBBTNvSLcW2Sl27{uX5dfq?+z1E4J%6tye))MkM!X;Uf?8bH~Szs0u6 z*)cirwi2tZjOy@!RH&>XpF<1p??`R2z_I*@ponczcJ58;AN9n=lmO7)}?cPxq}S7K$e| z%_M>YTZQ&9fy?JR7<=cE*V;m7sn;&-g+MhbC^OY4hZM-K;ApehPU?Alz@8rI#vgD* ziCnquP~ol5;^064q^Ud%WP58WWvLp2efKx^7FEPDLiY hlYUM(QL<8v)b323|FJ#?NUg;s4_k!y09su`yV-?yRI&g7